Security Experts Debate Danger of Computing Monoculture

Dan Geer and Microsoft's Scott Charney debate the issue of multiple operating systems on the Net.

Ten months after co-authoring a paper positing that Microsoft Corp.s dominance in the operating system market is a hazard to the security of the Internet—a claim that cost him his job—Dan Geer has lost none of the zeal for the fight.

Geer, now the chief scientist at security vendor Verdasys Inc., in Waltham, Mass., defended his position as forcefully as ever at a recent debate on the topic with Scott Charney, Microsofts chief security strategist. With the Usenix Annual Technical Conference here as a backdrop, a standing-room-only crowd backed Geer—former president of Usenix and respected security researcher—in his assertion that the Windows "monoculture" threatens the Internets safety.

"A computing monoculture is a danger; it is a security danger, and it is a national security danger," said Geer, who holds a doctorate in biostatistics from Harvard University and did pioneering work on Project Athena, a networked computing venture, and the Kerberos system at the Massachusetts Institute of Technology. "An ecosystem that is low on diversity is in danger. It is the predators who force the prey to diversify."

Geers paper, published last September and written with security expert Bruce Schneier, among others, ruffled Microsoft feathers and, said Geer, ended up costing him his job as chief technology officer of @Stake Inc., which does business with the Redmond, Wash., software maker. Officials at Microsoft and @Stake, of Cambridge, Mass., denied at the time that Microsoft played any role in Geers firing.

In his fast-paced Usenix presentation, Geer seemed more revival-meeting preacher than scientist. In fact, one of the questioners at the end of the debate called him "Reverend Dan." And to the Usenix members—wearing shirts with Linux logos and toting laptops running KDE on top of Debian or FreeBSD—Geers words played like gospel.

Geer argued that without a significant diversity of operating systems on the Net, the network is at constant risk of a major disruption, thanks to the target bases homogeneity. If a handful of operating systems each owned a sizable chunk of the market, the number of machines potentially affected by an attack would be far lower, thus minimizing the effect on the Internet.

Comparing the Windows monopoly to the agricultural world, Geer said that just as stubborn farmers who grew only cotton saw their crops devastated by the boll weevil, enterprises that fail to diversify are setting themselves up for failure. "All monocultures live on borrowed time," he said. "We farm data and electrons. Are we so vain to imagine that we are not subject to the laws of nature?"

Charney, the second to speak, was decidedly the visiting team. But Charney, a former federal prosecutor, was hardly overmatched. As a former colleague quipped, Charneys participation in the debate equaled "throwing the lion to the Christians."

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. Sensing the need to gain friends, Charney related how he came to be the Department of Justices lead prosecutor for cyber-crime in the 90s. After his boss saw him creating DOS subdirectories, Charney was deemed a "computer expert" and nominated to head a new computer-crime unit. The story drew many laughs.

But Charney wasted little time laying out his problems with Geers thesis. He assailed Geer and his co-authors for advocating "forced diversity" and not allowing the market to dictate which products are most successful. Charney cited the spread of last years SQL Slammer worm as an example of what little difference he believes diversity would make. The worm infected a tiny fraction of 1 percent of the machines on the Internet, yet the traffic it generated had a measurable effect on the networks performance during the peak of the outbreak.

"If a very small percentage of machines can have a broad effect, wed have to diversify operating systems not into two but into millions," Charney said. "Its not really clear to me how thats going to work in practice."

What was clear by the end of the debate was that many audience members agreed with more of Charneys points than they thought they would. But that didnt stop the anti-Microsoft faction from scoring perhaps the best point of the afternoon. In a question-and-answer period, a slight, ponytailed man went to the microphone and said: "Mr. Charney, I just wanted to say that I believe the single most dangerous piece of software ever written is [Internet Explorer]."

As the crowd clapped and laughed, Charney simply smiled and shook his head.

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page